What is a passkey and how can it replace traditional passwords?

Recently, Google made this important feature available to its Android and Chrome systems that will allow users to use their own devices to log into different websites, services and applications without any password, and with the launch of iOS 16, Apple launched one of the major security features that will be available For users it is a Passkey feature.

What is a passkey?

Passkey is a standard designed to remove traditional passwords for online authentication and identity verification. Earlier this year, Apple, Google, and Microsoft teamed up with the FIDO Alliance and the World Wide Web Consortium to work on removing passwords to confirm users' identities across platforms.

Apple announced its own version of this standard called Passkey at the Worldwide Developers Conference (WWDC) in June, and said it will be available on macOS Ventura, iOS 16 and iPadOS 16.

Passkeys can reduce the risk of account hacking because they remove passwords, which can be leaked or exposed. In addition, passkeys are not reused across websites and applications, so the risks of using the same data to hack your different accounts may be over.

How does a passkey work?

The passkey is based on the WebAuthn standard, so users can use biometric authentication such as Face ID, Touch ID, or use a PIN to verify identity. At a higher level, rather than relying on a username and password combination, passkeys use your device to prove that you are the rightful owner of the account.

If you head to a website that supports a passkey, like this one, you can see a new sign-in option that uses devices or data stored in iCloud Keychain, and if you don't have an account previously registered on the sites, it may ask you for some basic information like email without having to password. Each time you try to sign in, your device will automatically be recognized and sign in with email only.

Passkeys work by creating a pair of keys, a public key and a private key. The public key is stored in the cloud and shared between devices that have their private keys while the private key is stored on the device. This ensures that if the cloud is hacked, the attacker does not have both keys to gain access. to the accounts.

Currently a few websites and online services support passkeys, but it is likely that many will increase over time as developers start to support passkeys in their services.